From ab5cfab5be64cfb5e01c2b660587da43b3097cad Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 15 Aug 2008 10:46:40 -0700 Subject: Added checking of gpg.conf for keyserver. --- debian/changelog | 3 ++- src/monkeysphere | 11 ++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 160d1d6..e80e48a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -12,8 +12,9 @@ monkeysphere (0.8-1) UNRELEASED; urgency=low keys. This will prevent malicious bad keys from causing good keys to be removed from key files. * enabled host key publication. + * added checking of gpg.conf for keyserver - -- Jameson Graef Rollins Fri, 15 Aug 2008 00:48:22 -0700 + -- Jameson Graef Rollins Fri, 15 Aug 2008 10:46:23 -0700 monkeysphere (0.7-1) experimental; urgency=low diff --git a/src/monkeysphere b/src/monkeysphere index 8ddfe7f..6d9e6c3 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -191,7 +191,16 @@ mkdir -p -m 0700 "$MONKEYSPHERE_HOME" # set empty config variables with ones from the environment, or from # config file, or with defaults GNUPGHOME=${MONKEYSPHERE_GNUPGHOME:=${GNUPGHOME:="${HOME}/.gnupg"}} -KEYSERVER=${MONKEYSPHERE_KEYSERVER:=${KEYSERVER:="subkeys.pgp.net"}} +KEYSERVER=${MONKEYSPHERE_KEYSERVER:="$KEYSERVER"} +# if keyserver not specified in env or monkeysphere.conf, +# look in gpg.conf +if [ -z "$KEYSERVER" ] ; then + if [ -f "${GNUPGHOME}/gpg.conf" ] ; then + KEYSERVER=$(grep -e "^[[:space:]]*keyserver " "${GNUPGHOME}/gpg.conf" | tail -1 | awk '{ print $2 }') + fi +fi +# if it's still not specified, use the default +KEYSERVER=${KEYSERVER:="subkeys.pgp.net"} CHECK_KEYSERVER=${MONKEYSPHERE_CHECK_KEYSERVER:=${CHECK_KEYSERVER:="true"}} KNOWN_HOSTS=${MONKEYSPHERE_KNOWN_HOSTS:=${KNOWN_HOSTS:="${HOME}/.ssh/known_hosts"}} HASH_KNOWN_HOSTS=${MONKEYSPHERE_HASH_KNOWN_HOSTS:=${HASH_KNOWN_HOSTS:="true"}} -- cgit v1.2.3 From 056974d26f2358af59682a90029ed1739a4478ee Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 15 Aug 2008 10:48:02 -0700 Subject: closing bug. --- .../bugs/monkeysphere-should-respect-keyserver-settings-in-gpg.mdwn | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/website/bugs/monkeysphere-should-respect-keyserver-settings-in-gpg.mdwn b/website/bugs/monkeysphere-should-respect-keyserver-settings-in-gpg.mdwn index 3fbf19f..85f79f1 100644 --- a/website/bugs/monkeysphere-should-respect-keyserver-settings-in-gpg.mdwn +++ b/website/bugs/monkeysphere-should-respect-keyserver-settings-in-gpg.mdwn @@ -16,3 +16,7 @@ following order instead: * default value of subkeys.pgp.net -- Sir Jam Jam + +--- + +[[bugs/done]] 2008-08-15 in ab5cfab5be64cfb5e01c2b660587da43b3097cad -- cgit v1.2.3 From dd26d5acdc42dac6e39ed2f94eb0b5b795e58874 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Aug 2008 14:18:24 -0400 Subject: switched jrollins repo to use the git protocol --- website/download.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/download.mdwn b/website/download.mdwn index 982f88f..3c2f3c5 100644 --- a/website/download.mdwn +++ b/website/download.mdwn @@ -28,7 +28,7 @@ The git repo from this web site: [Jameson Graef Rollins](http://cmrg.fifthhorseman.net/wiki/jrollins): - git clone http://lair.fifthhorseman.net/~jrollins/git/monkeysphere.git monkeysphere + git clone git://lair.fifthhorseman.net/~jrollins/monkeysphere monkeysphere [Daniel Kahn Gillmor](http://cmrg.fifthhorseman.net/wiki/dkg): -- cgit v1.2.3 From 617f03c948b66774e6765206bed2c56d30157187 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Aug 2008 14:44:18 -0400 Subject: first pass at revoking hostnames. --- debian/changelog | 1 + src/common | 7 +++++++ src/monkeysphere-server | 32 +++++++++++++++++++++++++++++++- 3 files changed, 39 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index e80e48a..59aea1e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,7 @@ monkeysphere (0.8-1) UNRELEASED; urgency=low of my own. * More monkeysphere-server diagnostics * monkeysphere --gen-subkey now guesses what KeyID you meant. + * set up host-key revocation [ Jameson Graef Rollins ] * fix another bug for when ssh key files are missing. diff --git a/src/common b/src/common index 17955a7..24decae 100644 --- a/src/common +++ b/src/common @@ -76,6 +76,13 @@ unescape() { echo "$1" | sed 's/\\x3a/:/g' } +# convert nasty chars into gpg-friendly form +# FIXME: escape everything, not just colons! +escape() { + echo "$1" | sed 's/:/\\x3a/g' +} + + # remove all lines with specified string from specified file remove_line() { local file diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 023ce9b..6ffd41f 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -402,11 +402,41 @@ EOF # revoke hostname user ID to server key revoke_hostname() { + local msg + local uidNum + local tmpuidMatch + local fpr + local linenum + if [ -z "$1" ] ; then failure "You must specify a hostname to revoke." fi - failure "Sorry, not yet implemented." + fpr=$(fingerprint_server_key) + tmpuidMatch="u:$(escape "$1")" + + if linenum=$(gpg_host --list-keys --with-colons --fixed-list-mode "$fpr" | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F 'r:Foo T. Bar (DO NOT USE!) ') ; then + uidNum=${linenum%%:*} + else + failure "no non-revoked hostname '$1' is listed." + fi + + msg="hostname removed by monkeysphere-server on $(date +%F)" + + + revuidCommand=$(cat < Date: Fri, 15 Aug 2008 14:58:34 -0400 Subject: sigh. fixing some dumb typos in hostname revocation. --- src/monkeysphere-server | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 6ffd41f..dd85dcc 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -413,9 +413,9 @@ revoke_hostname() { fi fpr=$(fingerprint_server_key) - tmpuidMatch="u:$(escape "$1")" + tmpuidMatch="u:$(escape "ssh://$1")" - if linenum=$(gpg_host --list-keys --with-colons --fixed-list-mode "$fpr" | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F 'r:Foo T. Bar (DO NOT USE!) ') ; then + if linenum=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x$fpr"\! | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then uidNum=${linenum%%:*} else failure "no non-revoked hostname '$1' is listed." @@ -436,7 +436,7 @@ save EOF ) - echo "$revuidCommand" | gpg_host --quiet --command-fd 0 --edit-key "0x$fingerprint"\! + echo "$revuidCommand" | gpg_host --quiet --command-fd 0 --edit-key "0x$fpr"\! echo "NOTE: host userID revokation has not been published." echo "Use '$PGRM publish-key' to publish these changes." -- cgit v1.2.3 From d686f4a38a283db78c7922db5c16b9de98d640b9 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Aug 2008 15:01:08 -0400 Subject: closing multiple-hostnames bug now that we have an implementation. --- website/bugs/multiple-hostnames.mdwn | 2 ++ 1 file changed, 2 insertions(+) diff --git a/website/bugs/multiple-hostnames.mdwn b/website/bugs/multiple-hostnames.mdwn index 7597af5..f4920fd 100644 --- a/website/bugs/multiple-hostnames.mdwn +++ b/website/bugs/multiple-hostnames.mdwn @@ -35,3 +35,5 @@ probably prompt the administrator to re-publish the host key as well, to ensure that the new User IDs are published. --dkg + +[[bugs/done]] on 2008-08-15 15:00:02-0400 in 84b775ff0b36ec4b86e6708844ad2d678eced403 -- cgit v1.2.3 From 74a7b27673d1b7a19c6877a89c8651886c9abfe6 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Aug 2008 15:17:47 -0400 Subject: fixing proposed script to push authentication subkeys into the ssh-agent. --- website/bugs/handle-passphrase-locked-secret-keys.mdwn | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/website/bugs/handle-passphrase-locked-secret-keys.mdwn b/website/bugs/handle-passphrase-locked-secret-keys.mdwn index b66e4c7..ae5bf72 100644 --- a/website/bugs/handle-passphrase-locked-secret-keys.mdwn +++ b/website/bugs/handle-passphrase-locked-secret-keys.mdwn @@ -36,8 +36,10 @@ work for reasonable values of `$KEYID`: mkfifo "$TMPDIR/passphrase" kname="MonkeySphere Key $KEYID" mkfifo "$TMPDIR/$kname" - ssh-agent "Please enter the passphrase for MonkeySphere key $KEYID" >"$TMPDIR/passphrase" & - gpg --passphrase-fd 3 3<"$TMPDIR/passphrase" --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes --export-secret-subkeys "$KEYID"\! | openpgp2ssh "$KEYID" > "$TMPDIR/$kname" + ssh-askpass "Please enter the passphrase for MonkeySphere key $KEYID" >"$TMPDIR/passphrase" & + gpg --passphrase-fd 3 3<"$TMPDIR/passphrase" \ + --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes \ + --export-secret-subkeys "$KEYID"\! | openpgp2ssh "$KEYID" > "$TMPDIR/$kname" & (cd "$TMPDIR" && ssh-add -c "$kname") rm -rf "$TMPDIR" -- cgit v1.2.3 From b0ea15c8e359a908583e08da0663d69e353c77dc Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Aug 2008 15:24:34 -0400 Subject: fixing bugs in monkeysphere-server diagnostics. --- src/monkeysphere-server | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index dd85dcc..2b9b744 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -468,7 +468,10 @@ diagnostics() { local uid local fingerprint local badhostkeys + local sshd_config + # FIXME: what's the correct, cross-platform answer? + sshd_config=/etc/ssh/sshd_config seckey=$(fingerprint_server_key) keysfound=$(echo "$seckey" | grep -c ^sec:) curdate=$(date +%s) @@ -545,14 +548,14 @@ diagnostics() { fi # propose changes needed for sshd_config (if any) - if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" /etc/ssh/sshd_config; then - echo "! /etc/ssh/sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)." - echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'" + if ! grep -q "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$" "$sshd_config"; then + echo "! $sshd_config does not point to the monkeysphere host key (${VARLIB}/ssh_host_rsa_key)." + echo " - Recommendation: add a line to $sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'" fi - if badhostkeys=$(grep -i '^HostKey' | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then + if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then echo "! /etc/sshd_config refers to some non-monkeysphere host keys:" echo "$badhostkeys" - echo " - Recommendation: remove the above HostKey lines from /etc/ssh/sshd_config" + echo " - Recommendation: remove the above HostKey lines from $sshd_config" fi fi fi @@ -568,14 +571,14 @@ diagnostics() { echo "Checking for MonkeySphere-enabled public-key authentication for users ..." # Ensure that User ID authentication is enabled: - if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" /etc/ssh/sshd_config; then - echo "! /etc/ssh/sshd_config does not point to monkeysphere authorized keys." - echo " - Recommendation: add a line to /etc/ssh/sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'" + if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" "$sshd_config"; then + echo "! $sshd_config does not point to monkeysphere authorized keys." + echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'" fi - if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then + if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then echo "! /etc/sshd_config refers to non-monkeysphere authorized_keys files:" echo "$badauthorizedkeys" - echo " - Recommendation: remove the above AuthorizedKeysFile lines from /etc/ssh/sshd_config" + echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config" fi } -- cgit v1.2.3 From 8cf936aa9d62f6e8655904375a2d8217f559947a Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 15 Aug 2008 13:02:05 -0700 Subject: more work on hostname add/revoke --- src/common | 13 ++++---- src/monkeysphere-server | 89 +++++++++++++++++++++++++++++++++++++++++-------- 2 files changed, 82 insertions(+), 20 deletions(-) diff --git a/src/common b/src/common index 17955a7..34c86cb 100644 --- a/src/common +++ b/src/common @@ -69,11 +69,12 @@ file_hash() { md5sum "$1" 2> /dev/null } -# convert escaped characters from gpg output back into original -# character -# FIXME: undo all escape character translation in with-colons gpg output -unescape() { - echo "$1" | sed 's/\\x3a/:/g' +# convert escaped characters in pipeline from gpg output back into +# original character +# FIXME: undo all escape character translation in with-colons gpg +# output +gpg_unescape() { + sed 's/\\x3a/:/g' } # remove all lines with specified string from specified file @@ -398,7 +399,7 @@ process_user_id() { continue fi # if the user ID does not match, skip - if [ "$(unescape "$uidfpr")" != "$userID" ] ; then + if [ "$(echo "$uidfpr" | gpg_unescape)" != "$userID" ] ; then continue fi # if the user ID validity is not ok, skip diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 023ce9b..31bce7d 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -100,17 +100,19 @@ gpg_authentication() { su_monkeysphere_user "gpg $@" } -# output key information -show_server_key() { - gpg_host --list-secret-keys --fingerprint -} - # output just key fingerprint fingerprint_server_key() { gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode | \ grep '^fpr:' | head -1 | cut -d: -f10 } +# output key information +show_server_key() { + local fingerprint + fingerprint=$(fingerprint_server_key) + gpg_host --fingerprint --list-secret-key "$fingerprint" +} + # update authorized_keys for users update_users() { if [ "$1" ] ; then @@ -371,52 +373,111 @@ EOF # add hostname user ID to server key add_hostname() { + local userID + local fingerprint + local adduidCommand + if [ -z "$1" ] ; then failure "You must specify a hostname to add." fi userID="ssh://${1}" - if [ "$(gpg_host --list-key "=${userID}")" ] ; then + if [ "$(gpg_host --list-key "=${userID}" 2> /dev/null)" ] ; then failure "Host userID '$userID' already exists." fi + echo "The following user ID will be added to the host key:" + echo " '$userID'" + read -p "Are you sure you would like to add this user ID? (y/N) " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "user ID not added." + fi + fingerprint=$(fingerprint_server_key) + # edit-key script command to add user ID adduidCommand=$(cat < /dev/null | \ + egrep "^(uid|uat):" | cut -d: -f10 | gpg_unescape | cat -n | \ + grep "$userID" | awk '{ print $1 }') + + if [ -z "$uidIndex" ] ; then + failure "User ID '$userID' not found in host key." + fi - echo "NOTE: host userID revokation has not been published." - echo "Use '$PGRM publish-key' to publish these changes." + echo "The following user ID will be revoked from the host key:" + echo " '$userID'" + read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "user ID not revoked." + fi + + # edit-key script command to revoke user ID + revuidCommand=$(cat < Date: Fri, 15 Aug 2008 16:51:35 -0400 Subject: fixing gen-subkey when no agent is present. --- debian/changelog | 3 ++- debian/control | 2 +- src/monkeysphere | 14 ++++++++++++-- .../bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn | 7 +++++++ 4 files changed, 22 insertions(+), 4 deletions(-) diff --git a/debian/changelog b/debian/changelog index 59aea1e..e6dfccd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,7 @@ monkeysphere (0.8-1) UNRELEASED; urgency=low * More monkeysphere-server diagnostics * monkeysphere --gen-subkey now guesses what KeyID you meant. * set up host-key revocation + * added Recommends: ssh-askpass to ensure monkeysphere --gen-subkey works [ Jameson Graef Rollins ] * fix another bug for when ssh key files are missing. @@ -15,7 +16,7 @@ monkeysphere (0.8-1) UNRELEASED; urgency=low * enabled host key publication. * added checking of gpg.conf for keyserver - -- Jameson Graef Rollins Fri, 15 Aug 2008 10:46:23 -0700 + -- Daniel Kahn Gillmor Fri, 15 Aug 2008 16:06:31 -0400 monkeysphere (0.7-1) experimental; urgency=low diff --git a/debian/control b/debian/control index 0b3d871..7fbcbc7 100644 --- a/debian/control +++ b/debian/control @@ -13,7 +13,7 @@ Format: 3.0 (git) Package: monkeysphere Architecture: any Depends: openssh-client, gnupg | gnupg2, coreutils (>= 6), moreutils, lockfile-progs, adduser, ${shlibs:Depends} -Recommends: netcat | socat +Recommends: netcat | socat, ssh-askpass Enhances: openssh-client, openssh-server Description: use the OpenPGP web of trust to verify ssh connections SSH key-based authentication is tried-and-true, but it lacks a true diff --git a/src/monkeysphere b/src/monkeysphere index 6d9e6c3..57597e2 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -48,7 +48,6 @@ EOF } # generate a subkey with the 'a' usage flags set -# FIXME: this needs some tweaking to clean it up gen_subkey(){ local keyLength local keyExpire @@ -163,7 +162,18 @@ EOF ) log "generating subkey..." - echo "$editCommands" | gpg --expert --command-fd 0 --edit-key "$keyID" + fifoDir=$(mktemp -d) + (umask 077 && mkfifo "$fifoDir/pass") + echo "$editCommands" | gpg --passphrase-fd 3 3< "$fifoDir/pass" --expert --command-fd 0 --edit-key "$keyID" & + + if [ "$DISPLAY" ] && which ssh-askpass >/dev/null; then + ssh-askpass "Please enter your passphrase for $keyID: " > "$fifoDir/pass" + else + read -s -p "Please enter your passphrase for $keyID: " PASS + echo "$PASS" > "$fifoDir/pass" + fi + rm -rf "$fifoDir" + wait log "done." } diff --git a/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn b/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn index 51cf57e..e97b49c 100644 --- a/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn +++ b/website/bugs/monkeysphere-gen-subkey-fails-without-agent.mdwn @@ -135,3 +135,10 @@ it. Alternately, we could use `--passwd-fd` and `ssh-agent`, along the lines i proposed [for handling passphrase-locked secret keys](/bugs/handle-passphrase-locked-secret-keys). + +--- + +[[bugs/done]] as of 2008-08-15 16:48:26-0400 (to be released in 0.8-1) + +I opted to go with the `ssh-askpass` route, and fall back to echoing +stuff to a fifo directly if `ssh-askpass` is not available. -- cgit v1.2.3 From c9acc1237d8e21d74fe7070af1b061c888664e8b Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 15 Aug 2008 17:19:58 -0400 Subject: noting that list-identity-certifiers should be running as a non-privileged user. --- website/bugs/list-id-certifiers-should-run-non-priv.mdwn | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 website/bugs/list-id-certifiers-should-run-non-priv.mdwn diff --git a/website/bugs/list-id-certifiers-should-run-non-priv.mdwn b/website/bugs/list-id-certifiers-should-run-non-priv.mdwn new file mode 100644 index 0000000..3cbd1af --- /dev/null +++ b/website/bugs/list-id-certifiers-should-run-non-priv.mdwn @@ -0,0 +1,15 @@ +[[meta title="list-identity-certfiers should run as the non-privileged user"]] + +Right now, `monkeysphere-server list-identity-certifiers` runs as the +superuser, and just lists the keys in the host's keyring. This might +not be the actual list of valid id certifiers, for a number of reasons: + +* the keys themselves might have been revoked by the owner + +* the id-certifiers might have been added with a different trust + level, or a regexp/domain limitation. + +It would make more sense to derive the list of trusted certifiers +directly from the keyrings as seen by the non-privileged +`monkeysphere` user, since this user's keyrings are what are going to +judge the validity of various user IDs. -- cgit v1.2.3 From 9806e7372feb98c9acdbe0b3e428609539b40aa5 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 16 Aug 2008 01:14:07 -0400 Subject: added "Why?" to the web site. --- website/index.mdwn | 13 +++--- website/why.mdwn | 126 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 133 insertions(+), 6 deletions(-) create mode 100644 website/why.mdwn diff --git a/website/index.mdwn b/website/index.mdwn index 853c75b..652f195 100644 --- a/website/index.mdwn +++ b/website/index.mdwn @@ -9,7 +9,7 @@ yourself and the servers you administer or connect to. OpenPGP keys are tracked via GnuPG, and managed in the `known_hosts` and `authorized_keys` files used by OpenSSH for connection authentication. -[[bugs]] | [[download]] | [[news]] | [[documentation|doc]] +[[bugs]] | [[download]] | [[news]] | [[documentation|doc]] | [[why should i be interested|why]] ## Conceptual overview ## @@ -26,13 +26,14 @@ keys for authenticating to a server (known as "`PubkeyAuthentication`"), rather than relying on a password exchange. But again, the public part of the key needs to be transmitted to the server through a secure out-of-band channel (usually via a separate -password-based SSH connection) in order for this type of -authentication to work +password-based SSH connection or a (hopefully signed) e-mail to the +system administrator) in order for this type of authentication to +work. [OpenSSH](http://openssh.com/) currently provides a functional way to -managing the RSA and DSA keys required for these interactions through -the `known_hosts` and `authorized_keys` files. However, it lacks -any type of [Public Key Infrastructure +manage the RSA and DSA keys required for these interactions through +the `known_hosts` and `authorized_keys` files. However, it lacks any +type of [Public Key Infrastructure (PKI)](http://en.wikipedia.org/wiki/Public_Key_Infrastructure) that can verify that the keys being used really are the one required or expected. diff --git a/website/why.mdwn b/website/why.mdwn new file mode 100644 index 0000000..7f69614 --- /dev/null +++ b/website/why.mdwn @@ -0,0 +1,126 @@ +[[meta title="Why should you be interested in the MonkeySphere?"]] + +# Why should you be interested in the MonkeySphere? # + +## As an `ssh` user ## + +Do you use `ssh` to connect to remote machines? Are you tired of +seeing messages like this? + + The authenticity of host 'foo.example.org (192.0.2.3)' can't be established. + RSA key fingerprint is 17:f4:2b:22:90:d4:98:9a:a2:c5:95:4e:4a:89:be:90. + Are you sure you want to continue connecting (yes/no)? + +Do you actually tediously check the fingerprint against a +cryptographically-signed message from the admin, or do you just cross +your fingers and type "yes"? Do you wish there was a better way to do +it? Shouldn't our tools be able to figure this out automatically? + +Do you use `ssh`'s public key authentication for convenience and/or +added security? Have you ever worried about what might happen if you +lose control of your key? (Or did you have a key that was compromised +by [the OpenSSL debacle](http://bugs.debian.org/363516)?) How many +accounts/machines would you need to clean up to ensure that your old, +bad key is no longer in use? + +Have you ever wished you could phase out an old key and start using a +new one without having to comb through every single account you have +ever connected to? + +## As an `sshd` administrator ## + +If you are a system administrator, have you ever tried to re-key an +SSH server? How did you ease the change along to your users? How did +you keep them from getting the big scary warning messages? + +Have you ever wanted to allow a colleague key-based access to a +machine, *without* needing to have a copy of their public key on hand? + +Have you ever wanted to be able to revoke the ability of a key to +authenticate across the entire infrastructure you manage, without +touching each host by hand? + +## What's the connection? ## + +These questions all stem from rough edges we run up against in regular +use of SSH that could be improved by a decent [Public Key +Infrastructure (or +PKI)](http://dictionary.die.net/public%20key%20infrastructure). A PKI +at its core is a mechanism to provide answers to a few basic +questions: + +* Do we know who a key actually belongs to? How do we know? +* Is the key still valid for use? + +Given a clearly stated set of initial assumptions, functional +cryptographic tools, and a PKI, these questions can be clearly +answered in an automated fashion. We should not need to ask humans to +do complicated, error-prone things (e.g. checking host key +fingerprints) except in relatively rare situations (e.g. when two +people meet in person for the first time). + +The good news is that this is all possible, and available with free +tools! + +## Examples ## + +Bob is an `ssh` user, and has just been given an account on +`foo.example.org` by Alice, the `example.org` system administrator, +who he knows. + +Bob already trusts Alice to properly identify all `example.org` +servers. Alice already knows who Bob is, and the new machine `foo` +knows that it can rely on Alice's certifications because Alice is its +administrator. + +Alice can set up the new `bob` account on `foo.example.org` without +needing to give Bob a new passphrase to remember, and without needing +to even know Bob's current SSH key. She simply tells `foo` that `Bob +` should have access to the `bob` account. + +Bob's first connection to his new `bob` account on `foo.example.org` +is seamless, because all the steps are already in place! Using the +MonkeySphere, Bob never has to "accept" an unintelligible host key or +type a password. + +When Bob decides to change the key he uses for SSH authentication, he +can do so at once: he generates a new key, revokes his old key, and +publishes these changes to the public keyservers. The next time he's +ready to log into `foo.example.org`, it accepts his new key -- and it +*won't* accept his old key any longer. + +The same thing works for Alice when she decides to re-key +`foo.example.org` (let's say Alice learned that Eve has compromised +the old key). Alice generates a new key, revokes the old one, +publishes the changes, and the next time Bob connects, he connects as +smoothly as ever. And if Eve tries to use the old host key to +masquerade as `foo`, Bob's SSH client will refuse to let him connect! + +Alice can even quit as `example.org` system administrator, and revoke +her certifications of all `example.org` hosts. As long as Bob knows +and trusts the new `example.org` system administrator to identify +hosts in that domain, there's no problem. + +## Why OpenPGP? ## + +We believe that OpenPGP is the right PKI to use for this project. It +allows a very flexible trust model, ranging all over the map, at the +choice of the user: + +* individual per-host certifications by each client (much like the + stock OpenSSH behavior), + +* strict centralized Certificate Authorities (much like proposed X.509 + models), and + +* a more human-centric model that recognizes individual differences in + ranges of trust and acceptance. + +Even if Bob *doesn't* trust Alice to identify *all* `example.org` +hosts, his first connection to `foo.example.org` should give him more +than an unintelligible string to accept or reject. It should also +give him the information that Alice (and perhaps her colleague +Charles) have certified the key. This is far more useful information +than the current infrastructure allows, and is more meaningful to +actual humans using these tools than some message like "Certified by +GloboTrust". -- cgit v1.2.3 From bcc7aeea4e3e4a0175525259f22d07b0caf3e10b Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 16 Aug 2008 01:15:25 -0400 Subject: fixing website index link --- website/index.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/index.mdwn b/website/index.mdwn index 652f195..91da45d 100644 --- a/website/index.mdwn +++ b/website/index.mdwn @@ -9,7 +9,7 @@ yourself and the servers you administer or connect to. OpenPGP keys are tracked via GnuPG, and managed in the `known_hosts` and `authorized_keys` files used by OpenSSH for connection authentication. -[[bugs]] | [[download]] | [[news]] | [[documentation|doc]] | [[why should i be interested|why]] +[[bugs]] | [[download]] | [[news]] | [[documentation|doc]] | [["why should i be interested?"|why]] ## Conceptual overview ## -- cgit v1.2.3 From ae661bf9fd9ce62069a99bb9de16df8b44beee8a Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 16 Aug 2008 01:18:08 -0400 Subject: fixing website index link again --- website/index.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/index.mdwn b/website/index.mdwn index 91da45d..8ff984d 100644 --- a/website/index.mdwn +++ b/website/index.mdwn @@ -9,7 +9,7 @@ yourself and the servers you administer or connect to. OpenPGP keys are tracked via GnuPG, and managed in the `known_hosts` and `authorized_keys` files used by OpenSSH for connection authentication. -[[bugs]] | [[download]] | [[news]] | [[documentation|doc]] | [["why should i be interested?"|why]] +[[bugs]] | [[download]] | [[news]] | [[documentation|doc]] | [why should i be interested?](/why) ## Conceptual overview ## -- cgit v1.2.3 From a29b35e69d0fab5f2de42ed5edd9512a6552e75a Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Fri, 15 Aug 2008 15:27:11 -0700 Subject: More work on finishing add/revoke hostname functions. Improved list-certifiers function, to use non-priviledged user. --- debian/changelog | 3 +- src/monkeysphere | 12 ++--- src/monkeysphere-server | 120 +++++++++++++++++++++++++++++++++--------------- 3 files changed, 90 insertions(+), 45 deletions(-) diff --git a/debian/changelog b/debian/changelog index 64c2a09..af4d94b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -15,8 +15,9 @@ monkeysphere (0.8-1) UNRELEASED; urgency=low * enabled host key publication. * added checking of gpg.conf for keyserver * new functions to add/revoke host key user IDs + * improved list-certifiers function (now non-priviledged) - -- Jameson Graef Rollins Fri, 15 Aug 2008 15:02:48 -0700 + -- Jameson Graef Rollins Fri, 15 Aug 2008 15:57:14 -0700 monkeysphere (0.7-1) experimental; urgency=low diff --git a/src/monkeysphere b/src/monkeysphere index 57597e2..f959a38 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -37,12 +37,12 @@ usage: $PGRM [options] [args] MonkeySphere client tool. subcommands: - update-known_hosts (k) [HOST]... update known_hosts file - update-authorized_keys (a) update authorized_keys file - gen-subkey (g) KEYID generate an 'a' capable subkey - -l|--length BITS key length in bits (2048) - -e|--expire EXPIRE date to expire - help (h,?) this help + update-known_hosts (k) [HOST]... update known_hosts file + update-authorized_keys (a) update authorized_keys file + gen-subkey (g) KEYID generate an 'a' capable subkey + --length (-l) BITS key length in bits (2048) + --expire (-e) EXPIRE date to expire + help (h,?) this help EOF } diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 69395a4..fcd3114 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -40,9 +40,9 @@ subcommands: update-users (u) [USER]... update user authorized_keys files gen-key (g) [NAME[:PORT]] generate gpg key for the server - -l|--length BITS key length in bits (2048) - -e|--expire EXPIRE date to expire - -r|--revoker FINGERPRINT add a revoker + --length (-l) BITS key length in bits (2048) + --expire (-e) EXPIRE date to expire + --revoker (-r) FINGERPRINT add a revoker add-hostname (n+) NAME[:PORT] add hostname user ID to server key revoke-hostname (n-) NAME[:PORT] revoke hostname user ID show-key (s) output all server host key information @@ -51,15 +51,16 @@ subcommands: diagnostics (d) report on server monkeysphere status add-id-certifier (c+) KEYID import and tsign a certification key - -n|--domain DOMAIN limit ID certifications to DOMAIN - -t|--trust TRUST trust level of certifier (full) - -d|--depth DEPTH trust depth for certifier (1) + --domain (-n) DOMAIN limit ID certifications to DOMAIN + --trust (-t) TRUST trust level of certifier (full) + --depth (-d) DEPTH trust depth for certifier (1) remove-id-certifier (c-) KEYID remove a certification key list-id-certifiers (c) list certification keys gpg-authentication-cmd CMD gnupg-authentication command - -h|--help|help (h,?) this help + help (h,?) this help + EOF } @@ -102,7 +103,8 @@ gpg_authentication() { # output just key fingerprint fingerprint_server_key() { - gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode | \ + gpg_host --list-secret-keys --fingerprint \ + --with-colons --fixed-list-mode 2> /dev/null | \ grep '^fpr:' | head -1 | cut -d: -f10 } @@ -393,7 +395,7 @@ add_hostname() { # find the index of the requsted user ID # NOTE: this is based on circumstantial evidence that the order of # this output is the appropriate index - if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}"\! \ + if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}!" \ | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then failure "Host userID '$userID' already exists." fi @@ -402,7 +404,7 @@ add_hostname() { echo " $userID" read -p "Are you sure you would like to add this user ID? (y/N) " OK; OK=${OK:=N} if [ ${OK/y/Y} != 'Y' ] ; then - failure "user ID not added." + failure "User ID not added." fi # edit-key script command to add user ID @@ -416,14 +418,15 @@ EOF ) # execute edit-key script - if echo "$adduidCommand" | gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}"\! ; then + if echo "$adduidCommand" | \ + gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then # update trust db gpg_host --check-trustdb show_server_key - echo "NOTE: User ID added but key not published." - echo "Run '$PGRM publish-key' to publish the key" + echo "NOTE: User ID added to key, but key not published." + echo "Run '$PGRM publish-key' to publish the new user ID." else failure "Problem adding user ID." fi @@ -453,18 +456,18 @@ revoke_hostname() { # find the index of the requsted user ID # NOTE: this is based on circumstantial evidence that the order of # this output is the appropriate index - if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}"\! \ + if line=$(gpg_host --list-keys --with-colons --fixed-list-mode "0x${fingerprint}!" \ | egrep '^(uid|uat):' | cut -f2,10 -d: | grep -n -x -F "$tmpuidMatch") ; then uidIndex=${line%%:*} else failure "No non-revoked user ID '$userID' is found." fi - echo "The following user ID will be revoked from the host key:" + echo "The following host key user ID will be revoked:" echo " $userID" read -p "Are you sure you would like to revoke this user ID? (y/N) " OK; OK=${OK:=N} if [ ${OK/y/Y} != 'Y' ] ; then - failure "user ID not revoked." + failure "User ID not revoked." fi message="Hostname removed by monkeysphere-server $DATE" @@ -483,14 +486,15 @@ EOF ) # execute edit-key script - if echo "$revuidCommand" | gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}"\! ; then + if echo "$revuidCommand" | \ + gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then # update trust db gpg_host --check-trustdb show_server_key - echo "NOTE: User ID revoked but key not published." - echo "Run '$PGRM publish-key' to publish the key" + echo "NOTE: User ID revoked, but revokation not published." + echo "Run '$PGRM publish-key' to publish the revocation." else failure "Problem revoking user ID." fi @@ -507,7 +511,7 @@ publish_server_key() { fingerprint=$(fingerprint_server_key) # publish host key - gpg_authentication "--keyserver $KEYSERVER --send-keys $fingerprint" + gpg_authentication "--keyserver $KEYSERVER --send-keys '0x${fingerprint}!'" } diagnostics() { @@ -593,6 +597,7 @@ diagnostics() { # have a way to do that after key generation?) # Ensure that the ssh_host_rsa_key file is present and non-empty: + echo echo "Checking host SSH key..." if [ ! -s "${VARLIB}/ssh_host_rsa_key" ] ; then echo "! The host key as prepared for SSH (${VARLIB}/ssh_host_rsa_key) is missing or empty." @@ -607,7 +612,7 @@ diagnostics() { echo " - Recommendation: add a line to $sshd_config: 'HostKey ${VARLIB}/ssh_host_rsa_key'" fi if badhostkeys=$(grep -i '^HostKey' "$sshd_config" | grep -q -v "^HostKey[[:space:]]\+${VARLIB}/ssh_host_rsa_key$") ; then - echo "! /etc/sshd_config refers to some non-monkeysphere host keys:" + echo "! $sshd_config refers to some non-monkeysphere host keys:" echo "$badhostkeys" echo " - Recommendation: remove the above HostKey lines from $sshd_config" fi @@ -623,6 +628,7 @@ diagnostics() { # FIXME: make sure that at least one identity certifier exists + echo echo "Checking for MonkeySphere-enabled public-key authentication for users ..." # Ensure that User ID authentication is enabled: if ! grep -q "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$" "$sshd_config"; then @@ -630,7 +636,7 @@ diagnostics() { echo " - Recommendation: add a line to $sshd_config: 'AuthorizedKeysFile ${VARLIB}/authorized_keys/%u'" fi if badauthorizedkeys=$(grep -i '^AuthorizedKeysFile' "$sshd_config" | grep -q -v "^AuthorizedKeysFile[[:space:]]\+${VARLIB}/authorized_keys/%u$") ; then - echo "! /etc/sshd_config refers to non-monkeysphere authorized_keys files:" + echo "! $sshd_config refers to non-monkeysphere authorized_keys files:" echo "$badauthorizedkeys" echo " - Recommendation: remove the above AuthorizedKeysFile lines from $sshd_config" fi @@ -692,30 +698,35 @@ add_certifier() { export keyID # get the key from the key server - gpg_authentication "--keyserver $KEYSERVER --recv-key '$keyID'" + gpg_authentication "--keyserver $KEYSERVER --recv-key '0x${keyID}!'" # get the full fingerprint of a key ID - fingerprint=$(gpg_authentication "--list-key --with-colons --with-fingerprint $keyID" | \ + fingerprint=$(gpg_authentication "--list-key --with-colons --with-fingerprint 0x${keyID}!" | \ grep '^fpr:' | grep "$keyID" | cut -d: -f10) + if [ -z "$fingerprint" ] ; then + failure "Key '$keyID' not found." + fi + + echo echo "key found:" - gpg_authentication "--fingerprint $fingerprint" + gpg_authentication "--fingerprint 0x${fingerprint}!" - echo "Are you sure you want to add this key as a certifier of" - read -p "users on this system? (y/N) " OK; OK=${OK:-N} + echo "Are you sure you want to add the above key as a" + read -p "certifier of users on this system? (y/N) " OK; OK=${OK:-N} if [ "${OK/y/Y}" != 'Y' ] ; then - failure "aborting." + failure "Identity certifier not added." fi # export the key to the host keyring - gpg_authentication "--export $keyID" | gpg_host --import + gpg_authentication "--export 0x${fingerprint}!" | gpg_host --import if [ "$trust" == marginal ]; then trustval=1 elif [ "$trust" == full ]; then trustval=2 else - failure "trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)" + failure "Trust value requested ('$trust') was unclear (only 'marginal' or 'full' are supported)." fi # ltsign command @@ -732,10 +743,17 @@ EOF ) # ltsign the key - echo "$ltsignCommand" | gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}"\! + if echo "$ltsignCommand" | \ + gpg_host --quiet --command-fd 0 --edit-key "0x${fingerprint}!" ; then - # update the trustdb for the authentication keyring - gpg_authentication "--check-trustdb" + # update the trustdb for the authentication keyring + gpg_authentication "--check-trustdb" + + echo + echo "Identity certifier added." + else + failure "Problem adding identify certifier." + fi } # delete a certifiers key from the host keyring @@ -748,16 +766,42 @@ remove_certifier() { failure "You must specify the key ID of a key to remove." fi - # delete the requested key (with prompting) - gpg_host --delete-key "$keyID" + if gpg_authentication "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-key 0x${keyID}!" ; then + read -p "Really remove above listed identity certifier? (y/N) " OK; OK=${OK:-N} + if [ "${OK/y/Y}" != 'Y' ] ; then + failure "Identity certifier not removed." + fi + else + failure + fi + + # delete the requested key + if gpg_authentication "--delete-key --batch --yes 0x${keyID}!" ; then + # delete key from host keyring as well + gpg_host --delete-key --batch --yes "0x${keyID}!" + # update the trustdb for the authentication keyring + gpg_authentication "--check-trustdb" - # update the trustdb for the authentication keyring - gpg_authentication "--check-trustdb" + echo + echo "Identity certifier removed." + else + failure "Problem removing identity certifier." + fi } # list the host certifiers list_certifiers() { - gpg_host --list-keys + local keys + local key + + # find trusted keys in authentication keychain + keys=$(gpg_authentication "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-keys --with-colons --fingerprint" | \ + grep ^pub: | cut -d: -f2,5 | egrep '^(u|f):' | cut -d: -f2) + + # output keys + for key in $keys ; do + gpg_authentication "--no-options --list-options show-uid-validity --keyring ${GNUPGHOME_AUTHENTICATION}/pubring.gpg --list-key --fingerprint $key" + done } # issue command to gpg-authentication keyring -- cgit v1.2.3 From 1a17d5082447dd76f52df929bfe2f0855512c9f9 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sat, 16 Aug 2008 00:10:25 -0700 Subject: close bug --- website/bugs/list-id-certifiers-should-run-non-priv.mdwn | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/website/bugs/list-id-certifiers-should-run-non-priv.mdwn b/website/bugs/list-id-certifiers-should-run-non-priv.mdwn index 3cbd1af..2a3d533 100644 --- a/website/bugs/list-id-certifiers-should-run-non-priv.mdwn +++ b/website/bugs/list-id-certifiers-should-run-non-priv.mdwn @@ -13,3 +13,7 @@ It would make more sense to derive the list of trusted certifiers directly from the keyrings as seen by the non-privileged `monkeysphere` user, since this user's keyrings are what are going to judge the validity of various user IDs. + +--- + +[[bugs/done]] 2008-08-16 in a29b35e69d0fab5f2de42ed5edd9512a6552e75a -- cgit v1.2.3 From 7c31f3eda8d4a5015ad0203ecbbcb5846ffe7802 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sat, 16 Aug 2008 11:01:40 -0400 Subject: fixed typo in output. --- src/monkeysphere-server | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index fcd3114..6754b23 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -493,7 +493,7 @@ EOF show_server_key - echo "NOTE: User ID revoked, but revokation not published." + echo "NOTE: User ID revoked, but revocation not published." echo "Run '$PGRM publish-key' to publish the revocation." else failure "Problem revoking user ID." -- cgit v1.2.3 From e5a8a06d746d0844ba842d081c1898cd8f98e94e Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sat, 16 Aug 2008 10:11:16 -0700 Subject: small tweak to why link --- website/index.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/index.mdwn b/website/index.mdwn index 8ff984d..495d963 100644 --- a/website/index.mdwn +++ b/website/index.mdwn @@ -9,7 +9,7 @@ yourself and the servers you administer or connect to. OpenPGP keys are tracked via GnuPG, and managed in the `known_hosts` and `authorized_keys` files used by OpenSSH for connection authentication. -[[bugs]] | [[download]] | [[news]] | [[documentation|doc]] | [why should i be interested?](/why) +[why you should be interested](/why) | [[bugs]] | [[download]] | [[news]] | [[documentation|doc]] ## Conceptual overview ## -- cgit v1.2.3 From 7045b2d1cc40dab98eee7eeea72323cc2c79f17d Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sat, 16 Aug 2008 10:44:46 -0700 Subject: New bug about revoke-hostname revoking the wrong hostname. --- .../revoke-hostname-revoking-wrong-userid.mdwm | 94 ++++++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 website/bugs/revoke-hostname-revoking-wrong-userid.mdwm diff --git a/website/bugs/revoke-hostname-revoking-wrong-userid.mdwm b/website/bugs/revoke-hostname-revoking-wrong-userid.mdwm new file mode 100644 index 0000000..5c2c508 --- /dev/null +++ b/website/bugs/revoke-hostname-revoking-wrong-userid.mdwm @@ -0,0 +1,94 @@ +[[meta title="revoke-hostname function revokes wrong hostname user ID"]] + +It appears that the monkeysphere-server revoke-hostname function will +occasionaly revoke the wrong hostname. I say occasionally, but it +seems to be doing it pretty consistently for me at the moment: + + servo:~ 0$ sudo monkeysphere-server n- servo.finestructure.net + The following host key user ID will be revoked: + ssh://servo.finestructure.net + Are you sure you would like to revoke this user ID? (y/N) y + gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc. + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + Secret key is available. + + pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA + trust: ultimate validity: ultimate + [ultimate] (1) ssh://localhost.localdomain + [ultimate] (2). ssh://servo.finestructure.net + [ revoked] (3) ssh://jamie.rollins + [ revoked] (4) asdfsdflkjsdf + [ revoked] (5) ssh://asdfsdlf.safsdf + [ revoked] (6) ssh://bar.baz + [ revoked] (7) ssh://foo.bar + [ revoked] (8) ssh:// + + + pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA + trust: ultimate validity: ultimate + [ultimate] (1)* ssh://localhost.localdomain + [ultimate] (2). ssh://servo.finestructure.net + [ revoked] (3) ssh://jamie.rollins + [ revoked] (4) asdfsdflkjsdf + [ revoked] (5) ssh://asdfsdlf.safsdf + [ revoked] (6) ssh://bar.baz + [ revoked] (7) ssh://foo.bar + [ revoked] (8) ssh:// + + Please select the reason for the revocation: + 0 = No reason specified + 4 = User ID is no longer valid + Q = Cancel + (Probably you want to select 4 here) + Enter an optional description; end it with an empty line: + Reason for revocation: User ID is no longer valid + Hostname removed by monkeysphere-server 2008-08-16T17:34:02 + + pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA + trust: ultimate validity: ultimate + [ revoked] (1) ssh://localhost.localdomain + [ultimate] (2). ssh://servo.finestructure.net + [ revoked] (3) ssh://jamie.rollins + [ revoked] (4) asdfsdflkjsdf + [ revoked] (5) ssh://asdfsdlf.safsdf + [ revoked] (6) ssh://bar.baz + [ revoked] (7) ssh://foo.bar + [ revoked] (8) ssh:// + + gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model + gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u + gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u + gpg: next trustdb check due at 2012-01-07 + sec 1024R/9EEAC276 2008-07-10 + Key fingerprint = C094 43E0 6882 8BE2 E9AD 516C 45CF 974D 9EEA C276 + uid ssh://servo.finestructure.net + uid [ revoked] ssh://localhost.localdomain + uid [ revoked] ssh://jamie.rollins + uid [ revoked] asdfsdflkjsdf + uid [ revoked] ssh://asdfsdlf.safsdf + uid [ revoked] ssh://bar.baz + uid [ revoked] ssh://foo.bar + uid [ revoked] ssh:// + + NOTE: User ID revoked, but revokation not published. + Run 'monkeysphere-server publish-key' to publish the revocation. + servo:~ 0$ + +Clearly this is unacceptable. Because of more inadequacies in gpg, +you can't specify a uid to revoke from the command line. The uid +revokation requires an edit-key script, which we have used before, but +you have to specify by "number" which uid to revoke. We currently try +to guess the number from the ordering of the output of list-key. This +however is not always accurate. I don't have a good solution for a +fix at the moment. Suggestions are most welcome. It may just require +some trial and error with edit-key to come up with something workable. + +This underlines the problem that gpg sucks ass as a tool for +manipulating gpg keyrings non-interactively. This is a big problem. +We need something better that we can use. I would gladly rewrite +everything if there was a better tool out there, but I don't know of +one. + +-- Big Jimmy. -- cgit v1.2.3 From 58964698ef00ffabab886f50307b0d26de36a9ee Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sat, 16 Aug 2008 10:53:18 -0700 Subject: george updates --- doc/george/changelog | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/doc/george/changelog b/doc/george/changelog index 0790f65..7f1d5eb 100644 --- a/doc/george/changelog +++ b/doc/george/changelog @@ -7,6 +7,11 @@ * changes to this system (first command at top, last at bottom) * ****************************************************************************** +2008-08-16 - jrollins + * removed stale branches from jrollins from the master repo + * aptitude update && aptitude full-upgrade + * restarted services to clear up dependencies on old libraries + 2008-08-13 - dkg * aptitude update && aptitude full-upgrade * restarted services to clear up dependencies on old libraries -- cgit v1.2.3 From 572454f60d125be4741e4d9c3c50d9c48be5fecf Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 17 Aug 2008 00:06:30 -0700 Subject: fix bug name. --- .../revoke-hostname-revoking-wrong-userid.mdwm | 94 ---------------------- 1 file changed, 94 deletions(-) delete mode 100644 website/bugs/revoke-hostname-revoking-wrong-userid.mdwm diff --git a/website/bugs/revoke-hostname-revoking-wrong-userid.mdwm b/website/bugs/revoke-hostname-revoking-wrong-userid.mdwm deleted file mode 100644 index 5c2c508..0000000 --- a/website/bugs/revoke-hostname-revoking-wrong-userid.mdwm +++ /dev/null @@ -1,94 +0,0 @@ -[[meta title="revoke-hostname function revokes wrong hostname user ID"]] - -It appears that the monkeysphere-server revoke-hostname function will -occasionaly revoke the wrong hostname. I say occasionally, but it -seems to be doing it pretty consistently for me at the moment: - - servo:~ 0$ sudo monkeysphere-server n- servo.finestructure.net - The following host key user ID will be revoked: - ssh://servo.finestructure.net - Are you sure you would like to revoke this user ID? (y/N) y - gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc. - This is free software: you are free to change and redistribute it. - There is NO WARRANTY, to the extent permitted by law. - - Secret key is available. - - pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA - trust: ultimate validity: ultimate - [ultimate] (1) ssh://localhost.localdomain - [ultimate] (2). ssh://servo.finestructure.net - [ revoked] (3) ssh://jamie.rollins - [ revoked] (4) asdfsdflkjsdf - [ revoked] (5) ssh://asdfsdlf.safsdf - [ revoked] (6) ssh://bar.baz - [ revoked] (7) ssh://foo.bar - [ revoked] (8) ssh:// - - - pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA - trust: ultimate validity: ultimate - [ultimate] (1)* ssh://localhost.localdomain - [ultimate] (2). ssh://servo.finestructure.net - [ revoked] (3) ssh://jamie.rollins - [ revoked] (4) asdfsdflkjsdf - [ revoked] (5) ssh://asdfsdlf.safsdf - [ revoked] (6) ssh://bar.baz - [ revoked] (7) ssh://foo.bar - [ revoked] (8) ssh:// - - Please select the reason for the revocation: - 0 = No reason specified - 4 = User ID is no longer valid - Q = Cancel - (Probably you want to select 4 here) - Enter an optional description; end it with an empty line: - Reason for revocation: User ID is no longer valid - Hostname removed by monkeysphere-server 2008-08-16T17:34:02 - - pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA - trust: ultimate validity: ultimate - [ revoked] (1) ssh://localhost.localdomain - [ultimate] (2). ssh://servo.finestructure.net - [ revoked] (3) ssh://jamie.rollins - [ revoked] (4) asdfsdflkjsdf - [ revoked] (5) ssh://asdfsdlf.safsdf - [ revoked] (6) ssh://bar.baz - [ revoked] (7) ssh://foo.bar - [ revoked] (8) ssh:// - - gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model - gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u - gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u - gpg: next trustdb check due at 2012-01-07 - sec 1024R/9EEAC276 2008-07-10 - Key fingerprint = C094 43E0 6882 8BE2 E9AD 516C 45CF 974D 9EEA C276 - uid ssh://servo.finestructure.net - uid [ revoked] ssh://localhost.localdomain - uid [ revoked] ssh://jamie.rollins - uid [ revoked] asdfsdflkjsdf - uid [ revoked] ssh://asdfsdlf.safsdf - uid [ revoked] ssh://bar.baz - uid [ revoked] ssh://foo.bar - uid [ revoked] ssh:// - - NOTE: User ID revoked, but revokation not published. - Run 'monkeysphere-server publish-key' to publish the revocation. - servo:~ 0$ - -Clearly this is unacceptable. Because of more inadequacies in gpg, -you can't specify a uid to revoke from the command line. The uid -revokation requires an edit-key script, which we have used before, but -you have to specify by "number" which uid to revoke. We currently try -to guess the number from the ordering of the output of list-key. This -however is not always accurate. I don't have a good solution for a -fix at the moment. Suggestions are most welcome. It may just require -some trial and error with edit-key to come up with something workable. - -This underlines the problem that gpg sucks ass as a tool for -manipulating gpg keyrings non-interactively. This is a big problem. -We need something better that we can use. I would gladly rewrite -everything if there was a better tool out there, but I don't know of -one. - --- Big Jimmy. -- cgit v1.2.3 From 72a88981d0fbabb60b6094b43fb6e87b141e8b15 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Sun, 17 Aug 2008 00:13:31 -0700 Subject: really change bug name now --- .../revoke-hostname-revoking-wrong-userid.mdwn | 94 ++++++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 website/bugs/revoke-hostname-revoking-wrong-userid.mdwn diff --git a/website/bugs/revoke-hostname-revoking-wrong-userid.mdwn b/website/bugs/revoke-hostname-revoking-wrong-userid.mdwn new file mode 100644 index 0000000..847b613 --- /dev/null +++ b/website/bugs/revoke-hostname-revoking-wrong-userid.mdwn @@ -0,0 +1,94 @@ +[[meta title="revoke-hostname function revokes wrong hostname user ID"]] + +It appears that the monkeysphere-server revoke-hostname function will +occasionaly revoke the wrong hostname. I say occasionally, but it +seems to be doing it pretty consistently for me at the moment: + + servo:~ 0$ sudo monkeysphere-server n- servo.finestructure.net + The following host key user ID will be revoked: + ssh://servo.finestructure.net + Are you sure you would like to revoke this user ID? (y/N) y + gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc. + This is free software: you are free to change and redistribute it. + There is NO WARRANTY, to the extent permitted by law. + + Secret key is available. + + pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA + trust: ultimate validity: ultimate + [ultimate] (1) ssh://localhost.localdomain + [ultimate] (2). ssh://servo.finestructure.net + [ revoked] (3) ssh://jamie.rollins + [ revoked] (4) asdfsdflkjsdf + [ revoked] (5) ssh://asdfsdlf.safsdf + [ revoked] (6) ssh://bar.baz + [ revoked] (7) ssh://foo.bar + [ revoked] (8) ssh:// + + + pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA + trust: ultimate validity: ultimate + [ultimate] (1)* ssh://localhost.localdomain + [ultimate] (2). ssh://servo.finestructure.net + [ revoked] (3) ssh://jamie.rollins + [ revoked] (4) asdfsdflkjsdf + [ revoked] (5) ssh://asdfsdlf.safsdf + [ revoked] (6) ssh://bar.baz + [ revoked] (7) ssh://foo.bar + [ revoked] (8) ssh:// + + Please select the reason for the revocation: + 0 = No reason specified + 4 = User ID is no longer valid + Q = Cancel + (Probably you want to select 4 here) + Enter an optional description; end it with an empty line: + Reason for revocation: User ID is no longer valid + Hostname removed by monkeysphere-server 2008-08-16T17:34:02 + + pub 1024R/9EEAC276 created: 2008-07-10 expires: never usage: CA + trust: ultimate validity: ultimate + [ revoked] (1) ssh://localhost.localdomain + [ultimate] (2). ssh://servo.finestructure.net + [ revoked] (3) ssh://jamie.rollins + [ revoked] (4) asdfsdflkjsdf + [ revoked] (5) ssh://asdfsdlf.safsdf + [ revoked] (6) ssh://bar.baz + [ revoked] (7) ssh://foo.bar + [ revoked] (8) ssh:// + + gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model + gpg: depth: 0 valid: 1 signed: 2 trust: 0-, 0q, 0n, 0m, 0f, 1u + gpg: depth: 1 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 2f, 0u + gpg: next trustdb check due at 2012-01-07 + sec 1024R/9EEAC276 2008-07-10 + Key fingerprint = C094 43E0 6882 8BE2 E9AD 516C 45CF 974D 9EEA C276 + uid ssh://servo.finestructure.net + uid [ revoked] ssh://localhost.localdomain + uid [ revoked] ssh://jamie.rollins + uid [ revoked] asdfsdflkjsdf + uid [ revoked] ssh://asdfsdlf.safsdf + uid [ revoked] ssh://bar.baz + uid [ revoked] ssh://foo.bar + uid [ revoked] ssh:// + + NOTE: User ID revoked, but revokation not published. + Run 'monkeysphere-server publish-key' to publish the revocation. + servo:~ 0$ + +Clearly this is unacceptable. Because of more inadequacies in gpg, +you can't specify a uid to revoke from the command line. The uid +revokation requires an edit-key script, which we have used before, but +you have to specify by "number" which uid to revoke. We currently try +to guess the number from the ordering of the output of list-key. This +however is not always accurate. I don't have a good solution for a +fix at the moment. Suggestions are most welcome. It may just require +some trial and error with edit-key to come up with something workable. + +This underlines the problem that gpg sucks ass as a tool for +manipulating gpg keyrings non-interactively. This is a big problem. +We need something better that we can use. I would gladly rewrite +everything if there was a better tool out there, but I don't know of +one. + +-- Big Jimmy. -- cgit v1.2.3 From b3e1bb92aa62bf312c02c2ad02b84c1795f04630 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 17 Aug 2008 22:50:57 -0400 Subject: added comment about verbosity of monkeysphere-ssh-proxycommand --- website/bugs/monkeysphere-ssh-proxycommand-quiet-option.mdwn | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/website/bugs/monkeysphere-ssh-proxycommand-quiet-option.mdwn b/website/bugs/monkeysphere-ssh-proxycommand-quiet-option.mdwn index 965f198..028c8f9 100644 --- a/website/bugs/monkeysphere-ssh-proxycommand-quiet-option.mdwn +++ b/website/bugs/monkeysphere-ssh-proxycommand-quiet-option.mdwn @@ -20,3 +20,15 @@ at least, would be for silent output to be the default and have a -v/--verbose option to get the output. Or - maybe these should be environmental variables? In any event - someway to suppress informational output would be a useful improvement. + +------ + +I'd be fine with silent mode as a default, with a more verbose mode +accessible to the user who desires it. + +I'd prefer an environment variable (e.g. `MONKEYSPHERE_VERBOSE` or +`MONKEYSPHERE_DEBUG`) over a command-line (e.g. `--verbose`) option, +personally. It's more in keeping with the model we've used in general +so far. + +--dkg -- cgit v1.2.3 From 176356a2ec9662e5500f82d13dd74ace785b786f Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 17 Aug 2008 23:16:00 -0400 Subject: added proposed resolution to "seckey2sshagent in /usr/bin" bug --- website/bugs/install-seckey2sshagent-in-usr-bin.mdwn | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/website/bugs/install-seckey2sshagent-in-usr-bin.mdwn b/website/bugs/install-seckey2sshagent-in-usr-bin.mdwn index 5b19b13..0163727 100644 --- a/website/bugs/install-seckey2sshagent-in-usr-bin.mdwn +++ b/website/bugs/install-seckey2sshagent-in-usr-bin.mdwn @@ -25,3 +25,19 @@ part about verifying you to a server. Then it could say: if you're really interested, you can run this hacky script but we make no guarantees. -- Sir Jam Jam + +--- + +I just realized that i think i can test for the presence of [GNU-dummy +support in +GnuTLS](http://lists.gnu.org/archive/html/gnutls-devel/2008-08/msg00005.html), +which means that we can cleanly test whether the proposed [handling of +passphrase-locked secret +keys](bugs/handle-passphrase-locked-secret-keys/) is functional. With +that in mind, I'd like to propose that we could resolve this bug +simply by adding a new subcommand: `monkeysphere authkey-to-agent`, +which would fail in the absence of a functionally-patched GnuTLS. + +Would this proposal be sufficient to resolve this bug? + +--dkg -- cgit v1.2.3 From 6f3fdf1f357ae02850e875ad68aff4e338650d4c Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 17 Aug 2008 23:25:13 -0400 Subject: clarified phrasing in why page for admins; softened index link to "why". --- website/index.mdwn | 2 +- website/why.mdwn | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/website/index.mdwn b/website/index.mdwn index 495d963..6583e18 100644 --- a/website/index.mdwn +++ b/website/index.mdwn @@ -9,7 +9,7 @@ yourself and the servers you administer or connect to. OpenPGP keys are tracked via GnuPG, and managed in the `known_hosts` and `authorized_keys` files used by OpenSSH for connection authentication. -[why you should be interested](/why) | [[bugs]] | [[download]] | [[news]] | [[documentation|doc]] +[why?](/why) | [[bugs]] | [[download]] | [[news]] | [[documentation|doc]] ## Conceptual overview ## diff --git a/website/why.mdwn b/website/why.mdwn index 7f69614..3f6aa7c 100644 --- a/website/why.mdwn +++ b/website/why.mdwn @@ -36,8 +36,8 @@ you keep them from getting the big scary warning messages? Have you ever wanted to allow a colleague key-based access to a machine, *without* needing to have a copy of their public key on hand? -Have you ever wanted to be able to revoke the ability of a key to -authenticate across the entire infrastructure you manage, without +Have you ever wanted to be able to revoke the ability of a user's key +to authenticate across the entire infrastructure you manage, without touching each host by hand? ## What's the connection? ## -- cgit v1.2.3 From ced3f32242a7f06a6ccb131e7ec500c95441577d Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 17 Aug 2008 23:40:12 -0400 Subject: adding a to-do item for work on the web site. --- website/bugs/add-man-pages-to-website.mdwn | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 website/bugs/add-man-pages-to-website.mdwn diff --git a/website/bugs/add-man-pages-to-website.mdwn b/website/bugs/add-man-pages-to-website.mdwn new file mode 100644 index 0000000..4a8d2e2 --- /dev/null +++ b/website/bugs/add-man-pages-to-website.mdwn @@ -0,0 +1,12 @@ +[[meta title="Add man pages to web site"]] + +We should publish the various monkeysphere man pages in browsable form +somewhere under http://monkeysphere.info/. Ideally, this would be +updated automatically from the sources for the official man pages +themselves. + +This strikes me as an ikiwiki subproject (implementing a man2html wiki +compilation language perhaps?). + +Interestingly, [ikiwiki's own man page](http://ikiwiki.info/usage/) +appears to be written in markdown and then converted to nroff. -- cgit v1.2.3 From 26ad8fe480056709dacf9e06e8151de167a908ab Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Sun, 17 Aug 2008 23:47:43 -0400 Subject: fixing usage for gen-subkey; allowing --help for monkeysphere (to match monkeysphere-server behavior). --- man/man1/monkeysphere.1 | 14 ++++++++------ src/monkeysphere | 4 ++-- 2 files changed, 10 insertions(+), 8 deletions(-) diff --git a/man/man1/monkeysphere.1 b/man/man1/monkeysphere.1 index fe4fd36..db35a38 100644 --- a/man/man1/monkeysphere.1 +++ b/man/man1/monkeysphere.1 @@ -52,12 +52,14 @@ ID, 1 if no matching keys were found at all, and 2 if matching keys were found but none were acceptable. `a' may be used in place of `update-authorized_keys'. .TP -.B gen-subkey KEYID -Generate an authentication subkey. For the primary key with the -specified key ID, generate a subkey with "authentication" capability -that can be used for monkeysphere transactions. An expiration length -can be specified with the `-e' or `--expire' option (prompt -otherwise). `g' may be used in place of `gen-subkey'. +.B gen-subkey [KEYID] +Generate an authentication subkey for a private key in your GnuPG +keyring. For the primary key with the specified key ID, generate a +subkey with "authentication" capability that can be used for +monkeysphere transactions. An expiration length can be specified with +the `-e' or `--expire' option (prompt otherwise). If no key ID is +specified, but only one key exists in the secret keyring, that key +will be used. `g' may be used in place of `gen-subkey'. .TP .B help Output a brief usage summary. `h' or `?' may be used in place of diff --git a/src/monkeysphere b/src/monkeysphere index f959a38..303dc8d 100755 --- a/src/monkeysphere +++ b/src/monkeysphere @@ -39,7 +39,7 @@ MonkeySphere client tool. subcommands: update-known_hosts (k) [HOST]... update known_hosts file update-authorized_keys (a) update authorized_keys file - gen-subkey (g) KEYID generate an 'a' capable subkey + gen-subkey (g) [KEYID] generate an authentication subkey --length (-l) BITS key length in bits (2048) --expire (-e) EXPIRE date to expire help (h,?) this help @@ -288,7 +288,7 @@ case $COMMAND in gen_subkey "$@" ;; - 'help'|'h'|'?') + '--help'|'help'|'-h'|'h'|'?') usage ;; -- cgit v1.2.3 From 59d3a09628ae2cbf90cd34265edb438728b40ea3 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 18 Aug 2008 08:48:16 -0700 Subject: rewording but report. --- .../revoke-hostname-revoking-wrong-userid.mdwn | 26 +++++++++++----------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/website/bugs/revoke-hostname-revoking-wrong-userid.mdwn b/website/bugs/revoke-hostname-revoking-wrong-userid.mdwn index 847b613..f785a9d 100644 --- a/website/bugs/revoke-hostname-revoking-wrong-userid.mdwn +++ b/website/bugs/revoke-hostname-revoking-wrong-userid.mdwn @@ -76,19 +76,19 @@ seems to be doing it pretty consistently for me at the moment: Run 'monkeysphere-server publish-key' to publish the revocation. servo:~ 0$ -Clearly this is unacceptable. Because of more inadequacies in gpg, -you can't specify a uid to revoke from the command line. The uid -revokation requires an edit-key script, which we have used before, but -you have to specify by "number" which uid to revoke. We currently try -to guess the number from the ordering of the output of list-key. This -however is not always accurate. I don't have a good solution for a -fix at the moment. Suggestions are most welcome. It may just require -some trial and error with edit-key to come up with something workable. +Clearly this is unacceptable. gpg does not let you can't specify a +uid to revoke from the command line. The uid revokation can only be +done through edit-key. We do edit-key scripting in other contexts, +but to revoke a user id you have to specify the uid by "number". We +currently try to guess the number from the ordering of the output of +list-key. However, this output does not appear to coincide with the +ordering in edit-key. I don't have a good solution or fix at the +moment. Suggestions are most welcome. It may just require some trial +and error with edit-key to come up with something workable. -This underlines the problem that gpg sucks ass as a tool for -manipulating gpg keyrings non-interactively. This is a big problem. -We need something better that we can use. I would gladly rewrite -everything if there was a better tool out there, but I don't know of -one. +This underlines the problem that gpg is currently not very well suited +for manipulating gpg keyrings non-interactively. It's possible that I +just haven't figured out how to do it yet, but it's not very clear if +it is possible. It would be nice to have some alternate tools to use. -- Big Jimmy. -- cgit v1.2.3 From 1d0c202737a733f958ba0b5c8851f3a3d3de62ca Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 18 Aug 2008 09:41:10 -0700 Subject: add loud warning about bug in revoke-hostname --- src/monkeysphere-server | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 6754b23..bc8be05 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -446,6 +446,15 @@ revoke_hostname() { failure "You must specify a hostname to revoke." fi + echo "WARNING: There is a known bug in this function." + echo "This function has been known to occasionally revoke the wrong user ID." + echo "Please see the following bug report for more information:" + echo "http://monkeysphere.info/bugs/revoke-hostname-revoking-wrong-userid/" + read -p "Are you sure you would like to proceed? (y/N) " OK; OK=${OK:=N} + if [ ${OK/y/Y} != 'Y' ] ; then + failure "aborting." + fi + userID="ssh://${1}" fingerprint=$(fingerprint_server_key) -- cgit v1.2.3 From 10f6d1c221722f3bb64fc904f8010d4ff7ed8a25 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 18 Aug 2008 12:45:36 -0400 Subject: cleaning up changelog in preparation for 0.8-1 release. --- debian/changelog | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/debian/changelog b/debian/changelog index af4d94b..ecb2f16 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,23 +1,24 @@ -monkeysphere (0.8-1) UNRELEASED; urgency=low +monkeysphere (0.8-1) experimental; urgency=low [ Daniel Kahn Gillmor ] * debian/control: switched Vcs-Git to use "centralized" git repo instead of my own. * More monkeysphere-server diagnostics * monkeysphere --gen-subkey now guesses what KeyID you meant. - * added Recommends: ssh-askpass to ensure monkeysphere --gen-subkey works + * added Recommends: ssh-askpass to ensure monkeysphere --gen-subkey + works sensibly under X11 [ Jameson Graef Rollins ] - * fix another bug for when ssh key files are missing. + * fix another bug when known_hosts files are missing. * sort processed keys so that "good" keys are processed after "bad" keys. This will prevent malicious bad keys from causing good keys to be removed from key files. * enabled host key publication. * added checking of gpg.conf for keyserver * new functions to add/revoke host key user IDs - * improved list-certifiers function (now non-priviledged) + * improved list-certifiers function (now non-privileged) - -- Jameson Graef Rollins Fri, 15 Aug 2008 15:57:14 -0700 + -- Daniel Kahn Gillmor Mon, 18 Aug 2008 12:43:37 -0400 monkeysphere (0.7-1) experimental; urgency=low -- cgit v1.2.3 From a1f164e814bb787ba4081ccdd18df9258d4831ed Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 18 Aug 2008 12:55:15 -0400 Subject: notes immediately after 0.8-1 release. --- doc/george/changelog | 6 ++++++ website/news/release-0.8-1.mdwn | 5 +++++ 2 files changed, 11 insertions(+) create mode 100644 website/news/release-0.8-1.mdwn diff --git a/doc/george/changelog b/doc/george/changelog index 7f1d5eb..2c32703 100644 --- a/doc/george/changelog +++ b/doc/george/changelog @@ -7,6 +7,12 @@ * changes to this system (first command at top, last at bottom) * ****************************************************************************** +2008-08-18 - dkg + * moved monkeysphere apt repo entry to + /etc/apt/sources.list.d/monkeysphere.list + * aptitude update && aptitude full-upgrade (including monkeysphere + 0.8-1) + 2008-08-16 - jrollins * removed stale branches from jrollins from the master repo * aptitude update && aptitude full-upgrade diff --git a/website/news/release-0.8-1.mdwn b/website/news/release-0.8-1.mdwn new file mode 100644 index 0000000..1ecdbe9 --- /dev/null +++ b/website/news/release-0.8-1.mdwn @@ -0,0 +1,5 @@ +[[meta title="MonkeySphere 0.7-1 released!"]] + +MonkeySphere 0.8-1 has been released. This release contains bugfixes, +some UI re-arrangement, and new features for `monkeysphere-server`, +among other things. [[download]] it now! -- cgit v1.2.3 From 0e12dd66f1d450d773c5e4403739371ef03860a8 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 18 Aug 2008 12:56:19 -0400 Subject: fixing title of 0.8-1 release announcement. --- website/news/release-0.8-1.mdwn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/website/news/release-0.8-1.mdwn b/website/news/release-0.8-1.mdwn index 1ecdbe9..ed4ed7d 100644 --- a/website/news/release-0.8-1.mdwn +++ b/website/news/release-0.8-1.mdwn @@ -1,4 +1,4 @@ -[[meta title="MonkeySphere 0.7-1 released!"]] +[[meta title="MonkeySphere 0.8-1 released!"]] MonkeySphere 0.8-1 has been released. This release contains bugfixes, some UI re-arrangement, and new features for `monkeysphere-server`, -- cgit v1.2.3 From cbcc9ff2a7cf6b398a977a873c5c85db36ba05fd Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 18 Aug 2008 10:13:42 -0700 Subject: fixed bad bug in user id processing that prevented bad primary keys from being properly handled. --- debian/changelog | 7 +++++++ src/common | 25 ++++++++++--------------- 2 files changed, 17 insertions(+), 15 deletions(-) diff --git a/debian/changelog b/debian/changelog index ecb2f16..828973f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +monkeysphere (0.9-1) experimental; urgency=low + + * fixed bug in user id processing that prevented bad primary keys from + being properly removed. + + -- Jameson Graef Rollins Mon, 18 Aug 2008 10:13:36 -0700 + monkeysphere (0.8-1) experimental; urgency=low [ Daniel Kahn Gillmor ] diff --git a/src/common b/src/common index bb988f7..9a03b9c 100644 --- a/src/common +++ b/src/common @@ -393,29 +393,24 @@ process_user_id() { ;; 'uid') # user ids if [ "$lastKey" != pub ] ; then - log " - got a user ID after a sub key! user IDs should only follow primary keys!" - continue - fi - # don't bother with a uid if there is no valid or reasonable primary key. - if [ "$keyOK" != true ] ; then + log " - got a user ID after a sub key?! user IDs should only follow primary keys!" continue fi # if an acceptable user ID was already found, skip - if [ "$uidOK" ] ; then - continue - fi - # if the user ID does not match, skip - if [ "$(echo "$uidfpr" | gpg_unescape)" != "$userID" ] ; then + if [ "$uidOK" = 'true' ] ; then continue fi - # if the user ID validity is not ok, skip - if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then + # if the user ID does matches... + if [ "$(echo "$uidfpr" | gpg_unescape)" = "$userID" ] ; then + # and the user ID validity is ok + if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then + # mark user ID acceptable + uidOK=true + fi + else continue fi - # mark user ID acceptable - uidOK=true - # output a line for the primary key # 0 = ok, 1 = bad if [ "$keyOK" -a "$uidOK" -a "$lastKeyOK" ] ; then -- cgit v1.2.3 From d16c5795ebdfc369cc184448e3e57d850086f0a4 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 18 Aug 2008 10:57:48 -0700 Subject: fix bug i accidentally introduced in the diagnostic function --- src/monkeysphere-server | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index bc8be05..ea94618 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -539,7 +539,7 @@ diagnostics() { # FIXME: what's the correct, cross-platform answer? sshd_config=/etc/ssh/sshd_config - seckey=$(fingerprint_server_key) + seckey=$(gpg_host --list-secret-keys --with-colons --fixed-list-mode) keysfound=$(echo "$seckey" | grep -c ^sec:) curdate=$(date +%s) # warn when anything is 2 months away from expiration -- cgit v1.2.3 From 38be21fd599fc114d05f64fdf8643f2a2ac9a18e Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 18 Aug 2008 14:09:34 -0400 Subject: re-added fingerprint output during diagnostics. --- src/monkeysphere-server | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/monkeysphere-server b/src/monkeysphere-server index ea94618..052e6de 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -539,7 +539,7 @@ diagnostics() { # FIXME: what's the correct, cross-platform answer? sshd_config=/etc/ssh/sshd_config - seckey=$(gpg_host --list-secret-keys --with-colons --fixed-list-mode) + seckey=$(gpg_host --list-secret-keys --fingerprint --with-colons --fixed-list-mode) keysfound=$(echo "$seckey" | grep -c ^sec:) curdate=$(date +%s) # warn when anything is 2 months away from expiration -- cgit v1.2.3 From d8ece7d101fb16c99dfcc1224cc48f2c9cd4024d Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 18 Aug 2008 15:21:11 -0400 Subject: added 'monkeysphere-server extend-key' subcommand --- debian/changelog | 7 +++++- man/man8/monkeysphere-server.8 | 29 +++++++++++++++++------ src/common | 22 +++++++++++++++++ src/monkeysphere-server | 54 ++++++++++++++++++++++++++++-------------- 4 files changed, 86 insertions(+), 26 deletions(-) diff --git a/debian/changelog b/debian/changelog index 828973f..40172aa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,9 +1,14 @@ monkeysphere (0.9-1) experimental; urgency=low + [ Daniel Kahn Gillmor ] + * implemented "monkeysphere-server extend-key" to adjust expiration + dates. + + [ Jameson Graef Rollins ] * fixed bug in user id processing that prevented bad primary keys from being properly removed. - -- Jameson Graef Rollins Mon, 18 Aug 2008 10:13:36 -0700 + -- Daniel Kahn Gillmor Mon, 18 Aug 2008 14:59:56 -0400 monkeysphere (0.8-1) experimental; urgency=low diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 8e7278b..416cc87 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -36,13 +36,28 @@ specified, then all accounts on the system are processed. `u' may be used in place of `update-users'. .TP .B gen-key [HOSTNAME] -Generate a OpenPGP key pair for the host. If HOSTNAME is not -specified, then the system fully-qualified domain name will be user. -An alternate key bit length can be specified with the `-l' or -`--length' option (default 2048). An expiration length can be -specified with the `-e' or `--expire' option (prompt otherwise). A -key revoker fingerprint can be specified with the `-r' or `--revoker' -option. `g' may be used in place of `gen-key'. +Generate a OpenPGP key for the host. If HOSTNAME is not specified, +then the system fully-qualified domain name will be user. An +alternate key bit length can be specified with the `-l' or `--length' +option (default 2048). An expiration length can be specified with the +`-e' or `--expire' option (prompt otherwise). The expiration format +is the same as that of \fBextend-key\fP, below. A key revoker +fingerprint can be specified with the `-r' or `--revoker' option. `g' +may be used in place of `gen-key'. +.TP +.B extend-key EXPIRE +Extend the validity of the OpenPGP key for the host until EXPIRE from +the present. If EXPIRE is not specified, then the user will be +prompted for the extension term. Expiration is specified like GnuPG +does: +.nf + 0 = key does not expire + = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years +.fi +`e' may be used in place of `extend-key'. .TP .B add-hostname HOSTNAME Add a hostname user ID to the server host key. `n+' may be used in diff --git a/src/common b/src/common index 9a03b9c..54ea9cb 100644 --- a/src/common +++ b/src/common @@ -83,6 +83,28 @@ gpg_escape() { sed 's/:/\\x3a/g' } +# prompt for GPG-formatted expiration, and emit result on stdout +get_gpg_expiration() { + local keyExpire= + + cat >&2 < = key expires in n days + w = key expires in n weeks + m = key expires in n months + y = key expires in n years +EOF + while [ -z "$keyExpire" ] ; do + read -p "Key is valid for? (0) " keyExpire + if ! test_gpg_expire ${keyExpire:=0} ; then + echo "invalid value" >&2 + unset keyExpire + fi + done + echo "$keyExpire" +} + # remove all lines with specified string from specified file remove_line() { local file diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 052e6de..91e2121 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -4,6 +4,7 @@ # # The monkeysphere scripts are written by: # Jameson Rollins +# Daniel Kahn Gillmor # # They are Copyright 2008, and are all released under the GPL, version 3 # or later. @@ -43,6 +44,7 @@ subcommands: --length (-l) BITS key length in bits (2048) --expire (-e) EXPIRE date to expire --revoker (-r) FINGERPRINT add a revoker + extend-key (e) EXPIRE extend expiration to EXPIRE add-hostname (n+) NAME[:PORT] add hostname user ID to server key revoke-hostname (n-) NAME[:PORT] revoke hostname user ID show-key (s) output all server host key information @@ -296,22 +298,9 @@ gen_key() { # prompt about key expiration if not specified if [ -z "$keyExpire" ] ; then - cat < = key expires in n days - w = key expires in n weeks - m = key expires in n months - y = key expires in n years -EOF - while [ -z "$keyExpire" ] ; do - read -p "Key is valid for? (0) " keyExpire - if ! test_gpg_expire ${keyExpire:=0} ; then - echo "invalid value" - unset keyExpire - fi - done - elif ! test_gpg_expire "$keyExpire" ; then + keyExpire=$(get_gpg_expiration) + fi + if ! test_gpg_expire "$keyExpire" ; then failure "invalid key expiration value '$keyExpire'." fi @@ -373,6 +362,31 @@ EOF log "Private SSH host key output to file: ${VARLIB}/ssh_host_rsa_key" } +# extend the lifetime of a host key: +extend_key() { + local fpr=$(fingerprint_server_key) + local extendTo="$1" + + if [ -z "$fpr" ] ; then + failure "You don't appear to have a MonkeySphere host key on this server. Try 'monkeysphere-server gen-key' first." + fi + + if [ -z "$extendTo" ]; then + extendTo=$(get_gpg_expiration) + fi + if ! test_gpg_expire "$extendTo" ; then + failure "invalid expiration value '$extendTo'." + fi + + gpg_host --quiet --command-fd 0 --edit-key "$fpr" < Date: Mon, 18 Aug 2008 15:41:12 -0400 Subject: collapsed "show-fingerprint" with "show-key" for monkeysphere-server. --- man/man8/monkeysphere-server.8 | 4 ---- src/monkeysphere-server | 19 +++++++++++++------ 2 files changed, 13 insertions(+), 10 deletions(-) diff --git a/man/man8/monkeysphere-server.8 b/man/man8/monkeysphere-server.8 index 416cc87..5985f24 100644 --- a/man/man8/monkeysphere-server.8 +++ b/man/man8/monkeysphere-server.8 @@ -71,10 +71,6 @@ in place of `revoke-hostname'. Output gpg information about host's OpenPGP key. `s' may be used in place of `show-key'. .TP -.B fingerprint -Output just the fingerprint for the host's OpenPGP key. `f' may be -used in place of `fingerprint'. -.TP .B publish-key Publish the host's OpenPGP key to the keyserver. `p' may be used in place of `publish-key'. diff --git a/src/monkeysphere-server b/src/monkeysphere-server index 91e2121..99e5f80 100755 --- a/src/monkeysphere-server +++ b/src/monkeysphere-server @@ -48,7 +48,6 @@ subcommands: add-hostname (n+) NAME[:PORT] add hostname user ID to server key revoke-hostname (n-) NAME[:PORT] revoke hostname user ID show-key (s) output all server host key information - fingerprint (f) output just the key fingerprint publish-key (p) publish server host key to keyserver diagnostics (d) report on server monkeysphere status @@ -113,8 +112,20 @@ fingerprint_server_key() { # output key information show_server_key() { local fingerprint + local tmpkey + fingerprint=$(fingerprint_server_key) - gpg_host --fingerprint --list-secret-key "$fingerprint" + gpg_authentication "--fingerprint --list-key $fingerprint" + + # dumping to a file named ' ' so that the ssh-keygen output + # doesn't claim any potentially bogus hostname(s): + tmpkey=$(mktemp -d) + gpg_authentication "--export $fingerprint" | openpgp2ssh "$fingerprint" 2>/dev/null > "$tmpkey/ " + echo -n "ssh fingerprint: " + (cd "$tmpkey" && ssh-keygen -l -f ' ') + rm -rf "$tmpkey" + echo -n "OpenPGP fingerprint: " + echo "$fingerprint" } # update authorized_keys for users @@ -899,10 +910,6 @@ case $COMMAND in show_server_key ;; - 'show-fingerprint'|'fingerprint'|'f') - fingerprint_server_key - ;; - 'publish-key'|'publish'|'p') publish_server_key ;; -- cgit v1.2.3 From 60b3dfea5a6a0445dfe8f117cf68a634415b70a4 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 18 Aug 2008 15:43:54 -0400 Subject: updated debian/changelog in preparation for 0.9-1 release. --- debian/changelog | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 40172aa..9d2a13d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,13 +2,15 @@ monkeysphere (0.9-1) experimental; urgency=low [ Daniel Kahn Gillmor ] * implemented "monkeysphere-server extend-key" to adjust expiration - dates. + date of host key. + * removed "monkeysphere-server fingerprint". Use "monkeysphere-server + show-key" instead. [ Jameson Graef Rollins ] * fixed bug in user id processing that prevented bad primary keys from being properly removed. - -- Daniel Kahn Gillmor Mon, 18 Aug 2008 14:59:56 -0400 + -- Daniel Kahn Gillmor Mon, 18 Aug 2008 15:42:12 -0400 monkeysphere (0.8-1) experimental; urgency=low -- cgit v1.2.3 From c5998e1bd287c1a57e9962f8d17a7431544a9ee2 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Mon, 18 Aug 2008 15:47:36 -0400 Subject: release announcement for 0.9-1. --- website/news/release-0.9-1.mdwn | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 website/news/release-0.9-1.mdwn diff --git a/website/news/release-0.9-1.mdwn b/website/news/release-0.9-1.mdwn new file mode 100644 index 0000000..8a51f42 --- /dev/null +++ b/website/news/release-0.9-1.mdwn @@ -0,0 +1,8 @@ +[[meta title="MonkeySphere 0.9-1 released!"]] + +# MonkeySphere 0.9-1 released! # + +MonkeySphere 0.9-1 has been released. This release contains a serious +bugfix related to host key expiration, and provides the ability for +server administrators to extend the lifetime of their keys. +[[download]] it now! -- cgit v1.2.3 From f4d2a81d7fa375af270b95da25acea8b0a0150e5 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 18 Aug 2008 13:16:21 -0700 Subject: stupid big jimmy. fix bug in previous bug fix. --- debian/changelog | 6 ++++++ src/common | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/debian/changelog b/debian/changelog index 9d2a13d..7e1af90 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +monkeysphere (0.10-1) experimental; urgency=low + + * Fix bug in previous uid processing bug fix (stupid stupid). + + -- Jameson Graef Rollins Mon, 18 Aug 2008 13:16:15 -0700 + monkeysphere (0.9-1) experimental; urgency=low [ Daniel Kahn Gillmor ] diff --git a/src/common b/src/common index 54ea9cb..9d7deb7 100644 --- a/src/common +++ b/src/common @@ -425,7 +425,7 @@ process_user_id() { # if the user ID does matches... if [ "$(echo "$uidfpr" | gpg_unescape)" = "$userID" ] ; then # and the user ID validity is ok - if [ "$validity" != 'u' -a "$validity" != 'f' ] ; then + if [ "$validity" = 'u' -o "$validity" = 'f' ] ; then # mark user ID acceptable uidOK=true fi -- cgit v1.2.3